Addressing U.S. cybersecurity concerns through biometrics
By Bob Eckel
This article first appeared on Biometric Update.
In 2020, a major U.S. information technology firm was hacked, exposing sensitive material from over 18,000 of its customers, many of them government agencies such as the Treasury Department and the Department of Homeland Security. Not long afterward, the largest fuel pipeline in the United States was the victim of a ransomware attack, resulting in widespread shortages and consumer panic.
Unfortunately, attacks such as these are no longer uncommon. They expose the need for government agencies and private companies to bolster their cybersecurity efforts, secure their supply chains, and improve their authentication and need-to-know methods to keep their assets, and those of their customers, in safe hands. In May 2021, the U.S. government took action against these worrisome trends, signing the “Executive Order on Improving the Nation’s Cybersecurity.” Below we will discuss what that executive order entails, the authentication solutions currently in use by the federal government, and the critical next steps that should be taken to enhance cybersecurity protocols and protect against these troublesome trends.
The “Executive Order on Improving the Nation’s Cybersecurity”
The “Executive Order on Improving the Nation’s Cybersecurity” was signed by President Biden in direct response to the growing threat of large-scale data breaches and the related access control challenges the government faced during the COVID-19 pandemic. Across eight sections, the executive order detailed the actions the U.S. federal government must take within one year to improve the nation’s detection, mitigation and remediation of cyberthreats.
One key component of Biden’s executive order was the requirement that government agencies adopt multi-factor authentication processes for physical and digital access. Section 3 of the executive order specifically cited the need for enhanced authentication practices within the federal government, mandating that “within 180 days of the date of this order, agencies shall adopt multi-factor authentication.” The cybersecurity order also mandated the continued use of smart cards within the government for physical and digital access control, so long as agencies combine them with multi-factor authentication for additional security, instead of usernames and passwords.
Where U.S. cybersecurity stands
Strengthening cybersecurity and securing supply chains is all about data access. It’s vital to know who currently has access and whether that level of access is appropriate. Currently, most physical and digital access within the U.S. federal government requires the use of smart cards. The most common of these are Personal Identity Verification (PIV) cards and Common Access Cards (CAC), both of which are designed to grant the holder access to a physical location, a secure terminal, or both. Should a card become lost or unavailable, however, the successful combination of a username and password will continue to permit the user access in many cases.
Unfortunately, with the continuing rise of data breaches and cyberattacks, passwords have been shown to be an increasingly insecure method of protecting sensitive assets, especially within the federal space. They are unreliable as an authentication method because they can be stolen or guessed by malicious parties. Hackers are also getting better at uncovering or bypassing passwords, and as a result, using passwords as the sole means of access to government assets when a PIV or CAC card is unavailable is growing riskier by the day.
The COVID-19 pandemic made matters worse, effectively halting most PIV or CAC card issuance because the process had to be performed in person. As a result, the use of usernames and passwords as the sole means of physical and digital access rose sharply in 2020, further increasing federal cybersecurity vulnerabilities and highlighting the urgent need for a more secure multi-factor approach.
Critical next steps
With cyberattacks on the rise and a mandate in place to address these troublesome trends, many steps need to be taken immediately to ensure the challenge is met. The first, and most critical, step is the adoption of biometric-based authentication methods in place of passwords.
The most important reason for this is that biometrics are inherently more secure than passwords as an authentication method. This is because they use something a person is (their unique physical characteristics) instead of something a person has or knows. Passwords and physical access cards can be stolen, leaving them and the agencies issuing them vulnerable to attack. Biometrics, however, are far more secure: they typically perform a face, voice or iris match within seconds and, in conjunction with liveness detection, ensure the user is a real, live person and not a printed image, video recording or mask.
Modern-day biometrics are also mobile, allowing for convenient access and functionality from any smartphone or device. Instead of typing in a password or access code, authorized individuals can simply present their face and/or voice to the device and be granted secure access within seconds. As a convenient, frictionless, and most importantly, secure alternative to passwords, biometric technology is the ideal solution for government agencies and private enterprises looking to replace their fraud-prone authentication methods.
The future of cybersecurity lies with biometrics
The simple fact is that government agencies and private companies can no longer afford to rely on insecure password-based authentication methods to protect their assets and supply chains. With government agencies left with less than one year to implement more secure multi-factor authentication solutions, and large-scale data breaches and cyberattacks on the rise, the clear choice to both address this need and create a strong foundation for the future is biometric technology.
Today’s biometric solutions offer unparalleled security against hackers and ransomware attacks, are flexible enough to be used for virtually any use case and via nearly any mobile device, are typically faster than traditional multi-factor methods, and provide a high level of convenience for users. With so many benefits over existing authentication methods, biometrics are a clear choice for those looking to protect themselves and their sensitive assets for the next year and beyond.
About the Author
Bob Eckel is the President and CEO of Aware, Inc. Mr. Eckel also serves on the board of directors for the International Biometrics + Identity Association (IBIA), as a strategic advisory board member of Evolv Technology, and as a consultant for Digimarc Corporation. Mr. Eckel has received his Master’s degree in Electrical Engineering from the University of California Los Angeles, and his Bachelor’s degree in Electrical Engineering from the University of Connecticut.